Can open, DNA worms everywhere

pinkypinky · 03-02-2019 12:51pm #1

So FTDNA has decided to change their Terms of Service and allow law enforcement access to their database. It appears that they did this at some point in December 2018 without informing the existing users.

This move allows (presumably US only?) law enforcement organisations to upload kits and utitise the matching services in the same way a commercial user does. It does not allow them access to non-matching kits without valid legal methods like a warrant or subpoena.

Let's be clear here. Gedmatch is already allowing it. The difference is that they put a notice on their homepage saying so, immediately once they discovered their database had been used to find the (alleged) Golden State Killer, and gave users the opportunity to pull their data if they wanted.

FTDNA has done this without telling their users. I logged into my own kit just now and there's no notification, no email. Here's their press release.
I've got lots of kits on their site and am currently waiting for results on a new one.
I don't have a problem with my DNA being used to catch criminals, particularly involving violent crimes.
But I do think FTDNA should have informed users in advance. I'm not going to remove my data, not least because it's cost a lot of money to acquire these services (and added massively to my knowledge of my ancestry) but I am VERY DISAPPOINTED.

The Legal Genealogist blog has a good post, if you want to read more.

punisher5112 · 03-02-2019 12:57pm

One way of looking at it is that if you have nothing to hide or done nothing serious wrong then it really isn't a issue imo.

I think it would be great if every new born had a file created and this could be kept for catching serious offenders.

Look at all the unsolved murders, tapes and serious assaults for example go on to be never closed.

pinkypinky · 03-02-2019 1:00pm

See, I don't agree with that "if you've nothing to hide..." argument, because "nothing to hide" does not equal "I do not want any privacy".
If you've nothing to hide why not insist that pseudonyms or avatars are never used online?
People might have very good reasons to hide things that are not criminal.

Donnielighto · 03-02-2019 1:01pm

punisher5112 wrote: »

One way of looking at it is that if you have nothing to hide or done nothing serious wrong then it really isn't a issue imo.

I think it would be great if every new born had a file created and this could be kept for catching serious offenders.

Look at all the unsolved murders, tapes and serious assaults for example go on to be never closed.

That first line is very dangerous. Had been used in the past for government overreach. Letting people know would be enough.

CPTM · 03-02-2019 1:14pm

pinkypinky wrote: »

See, I don't agree with that "if you've nothing to hide..." argument, because "nothing to hide" does not equal "I do not want any privacy".
If you've nothing to hide why not insist that pseudonyms or avatars are never used online?
People might have very good reasons to hide things that are not criminal.

Yes, but there's a big difference between having a DNA sample on file, and stripping someone of their privacy. First of all, DNA data is unreadable in isolation, in that you can't build a picture of someone's beliefs, ideologies, or intentions by just looking at their DNA. You can't judge them differently having looked solely at their DNA. What you're comparing it to is stripping someone of their right to anonymity when seeking advice or debating topics online. To me they are two different things. One can impact their social standing, the other can't?

punisher5112 · 03-02-2019 1:16pm

Donnielighto wrote: »

That first line is very dangerous. Had been used in the past for government overreach. Letting people know would be enough.

Oh I agree if terms are changing they should be made aware.

I'm looking at the side of the victims and family and friends...... They shouldn't be left not knowing and more importantly the person or persons that carry out such terrible crimes should be caught.

Look at all the failings from police forces over the years where they even had the killer for example and let them go or had stopped them and because they didn't talk to each other or link things they would get away.

Look at those that were imprisoned but weren't the ones that done the crime, DNA set them free and if they had of had the actual criminals DNA they would know this.

pinkypinky · 03-02-2019 5:53pm

Further thought, after some reading, I don't think this change to their terms of service is GDPR compliant. And we know the DPC in Ireland is not pro-genealogy.

hblock21 · 03-02-2019 10:44pm

Just recieved this email now.

A letter from Bennett Greenspan, FamilyTreeDNA Founder

Dear Customers:

I am writing to address the news that our Gene-by-Gene laboratory, which processes genetic tests for several commercial clients in addition to all of the FamilyTreeDNA tests, has processed a handful of DNA samples for cold cases from the F.B.I. In many cases, the news reports contained false or misleading information.

Let me start with this categorical statement:

LAW ENFORCEMENT DOES NOT HAVE OPEN ACCESS TO THE FTDNA DATABASE.

They cannot search or “dig through” FTDNA profiles any more than an ordinary user can. As with all other genetic genealogy services, law enforcement must provide valid legal process, such as a subpoena or search warrant to receive any information beyond that which any other user can access.

I have been an avid genealogist since I was twelve years old. FamilyTreeDNA is not just a business, it is my passion. I fully understand your privacy concerns on a personal level.

Law enforcement has the ability to test DNA samples from crime scenes and upload the results into databases, like any other customer can, and it appears they have been doing it at other companies for the past year. The distinction is that, according to our Terms of Service and Privacy Policy, we expect the FBI and law enforcement agencies to let us know when they submit something to our database. We moved to something transparent, rather than having them work in a stealthy way. Other than that, nothing changed that affects the privacy of our customers.

FamilyTreeDNA has always taken your privacy seriously and will continue to do so. We’ve remained steadfast, always, refusing to sell your data to pharmaceutical companies and other third parties.

One of the key reasons law enforcement wanted to submit their samples to us is the same reason many of you have: out of all the major companies, FamilyTreeDNA is the only one that has its own lab, and our customers’ samples never leave our company.

As previously stated, law enforcement can only receive information beyond that which is accessible to the standard user by providing FamilyTreeDNA with valid legal process, such as a subpoena or a search warrant. Again, this is specified in FamilyTreeDNA’s Terms of Service, just as with all other companies.

ABOUT OUR TERMS OF SERVICE

The Terms of Service were changed in May of 2018 to reflect GDPR requirements, and we informed our customers about the update at that time. Those changes included a paragraph that required law enforcement to receive our permission to enter the database and since it was a part of the overall update, notice was sent to every FTDNA customer. Without infringing upon our customers’ privacy, the language in the paragraph referring to law enforcement was updated in December, although nothing changed in the actual handling of such requests. It was an oversight that notice of the revision was not sent to you and that is our mistake. Therefore, we are reverting our TOS to our May 2018 version, and any future changes will be communicated to you in a timely manner.

This is the May 2018, GDPR-compliant version, communicated to you at that time: “You agree to not use the Services for any law enforcement purposes, forensic examinations, criminal investigations, and/or similar purposes without the required legal documentation and written permission from FamilyTreeDNA.”

WE WILL DO A BETTER JOB OF COMMUNICATING WITH YOU.

I am genuinely sorry for not having handled our communications with you as we should have.

We’ve received an incredible amount of support from those of you who believe this is an opportunity for honest, law-abiding citizens to help catch bad guys and bring closure to devastated families. We want you to understand, as many of you already do, that you have the same protections that you’ve always had and that you have nothing to fear.

We’ve also heard from supporters offering ideas and solutions to make the FamilyTreeDNA experience a more comfortable one in light of this new information.

We are listening. Our plan is to create a panel of citizen genealogist advisors who will work with us as we focus on how to make your FamilyTreeDNA experience the best one available.

Sincerely,

Bennett Greenspan
President
FamilyTreeDNA.com

Ipso · 03-02-2019 11:12pm

But it’s not a back door where they can trawl through everything, anyway what’s tonstop someone working anywhere to get a DNA sample from someone else and do the same thing?

pinkypinky · 03-02-2019 11:12pm

Yes, I also got that this evening.
It's a start.
They've recognised that they fecked up.

pedroeibar1 · 04-02-2019 12:55pm

FTDNA’s problem is more about a breach of user conditions by law enforcement agencies than by FTDNA.
For the last 30 years most people have been sheep when it came to their data privacy. Supposedly it’s a trade-off, “You share your data with us, we will help you obtain what you are looking for”. However, it’s all about money and the balance is heavily tipped in favour of the big corporations who are mining your data and at best using it for research (GSK+23andMe) or at worst Facebook & Google) selling it for profit. The FTDNA story is only the tip of a very large iceberg and their ‘access conditions’ breach is not the worst case by a long way, when compared with what Facebook was complicit in doing with Cambridge Analytica.

Data helps vendors target their advertising – the more data the more accurate their targeting can be. In genealogy, even if your tree is ‘private’ online’, just look at the number of tantalising ‘hints’ that show up (although many are wildly inaccurate!). It’s not a faulty algorithm, it’s an attempt to sell you more, either a subscription or an upgrade, from a 37-marker to a 67-marker, from a UK & Irl sub to a premium or world sub. Hammered home every time you log on.

In some cases there is a trade-off, e.g. the profiling cards such as ‘Frequent Flyer’ are around since the 1980’s, Supermarket ‘loyalty’ cards have been with us since the mid-1990’s and will give you upgrades/flights/cash-back/offers. Others offer little or nothing: Google was the first to heavily exploit ‘private’ data and built on it from 2001 when it started to collect customers’ completed searches and use it to target them with specific advertising. By 2004 its advertising revenue had increased by almost 3,000%, (when we also found out that it was using our data!). The arrogance was astounding – the then CEO Erik Schmidt said “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place!”

In the late 1990’s we had the ‘Aware Home’ groups (a prominent one in Georgia Tech) working on the interaction between homes and their inhabitants, e.g. ‘smart fridges’, temperature control sensors that increased room heating. Its policies/guidelines have long since been dumped by the tech companies. A couple of years ago a study by Prof. Ian Walden of University of London showed that the Google-owned ‘Nest’ thermostat when fully connected to accompanying apps, involved almost one thousand data privacy contracts. If you don’t agree to them you won’t get upgrades/patches and are told its functionality and your security are compromised.

Today’s Irish Independent reports that banks owned by BMW, VW, and Renault loaned just under €1bn to Irish motorists in 2018. Just consider the data they now hold and what they will be able to do to the borrowers in their ‘smart’ cars.

No point in complaining if you still have an Amazon or Facebook account, or a LinkedIn profile, or apps (particularly health-related) on your smart phone. Paradoxically it is the educated wealthy individuals that are most likely to be conned into parting with their data.

pinkypinky · 04-02-2019 10:00pm

That is probably true but it's off-topic here.

The point is that FTDNA changed their own T&Cs and didn't advise users, which infringes on GDPR and, according to many Americans, the 4th amendment to their constitution.

I've asked family members to do tests for me and they've agreed. I feel I probably should be contacting them all now, explaining what's happened and asking them to reconsent or not.

pedroeibar1 · 05-02-2019 1:24am

pinkypinky wrote: »

That is probably true but it's off-topic here.

The point is that FTDNA changed their own T&Cs and didn't advise users, which infringes on GDPR and, according to many Americans, the 4th amendment to their constitution.

I've asked family members to do tests for me and they've agreed. I feel I probably should be contacting them all now, explaining what's happened and asking them to reconsent or not.

It is true and my points are germane, because in a thread on data sharing they illustrate the careless manner in which many already freely allow their data to be collected and (mis)managed.

As for contacting family for renewal of their consents, with respect, I believe that you are making a mountain out of a molehill. FTDNA has said

“The Terms of Service were changed in May of 2018 to reflect GDPR requirements, and we informed our customers about the update at that time. Those changes included a paragraph that required law enforcement to receive our permission to enter the database”

The actual clause is

“You agree to not use the Services for any law enforcement purposes, forensic examinations, criminal investigations, and/or similar purposes without the required legal documentation and written permission from FamilyTreeDNA.”

FTDNA goes on to say

“Without infringing upon our customers’ privacy, the language in the paragraph referring to law enforcement was updated in December, although nothing changed in the actual handling of such requests………………law enforcement must provide valid legal process, such as a subpoena or search warrant to receive any information beyond that which any other user can access.”

They also reconfirmed that Law enforcement agencies don’t have open access to their database. They have admitted that they

“processed a handful of DNA samples for cold cases from the F.B.I.”

and from the FTDNA text I infer that this was unwitting, as the FBI did not notify them. Whose fault is that? (Technically, FTDNA should have notified customers and data regulators of what could, in effect, be deemed a data breach.)

Those in the US who rabbit on about the Fourth Amendment are talking nonsense IMO, as that amendment does not guarantee protection from all searches and seizures, but only those deemed unreasonable under the law. When analysing the reasonableness standard, the US court uses an objective assessment and considers factors including the degree of intrusion and the manner in which it was conducted. Trying to match (on a quasi-public database) a DNA sample of a serial murder/rapist would IMO not be viewed as an unreasonable intrusion by any court, even in the US.
I view the main 'surprise event' in Ireland for those who tested with any DNA company is the discovery of a heretofore unknown half sibling or cousin. No bad thing, that, but it would screw-up inheritance planning!

pinkypinky · 05-02-2019 1:05pm

We're just going to have to disagree.

Vetch · 05-02-2019 9:23pm

pinkypinky wrote: »

We're just going to have to disagree.

I’ll agree with you that FTDNA should have informed customers about the changed T&Cs. That said, the entire business model of these genealogy DNA testing companies rests on data sharing and their databases are open to use/exploitation by people interested in things other than tracing their distant family history.

The ultimate fact here is that law enforcement can seek personal data to fight crime. For example, the new Irish Data Protection Act provides for this. FTDNA may have made a strategic decision that by allowing law enforcement to join as ordinary members and getting them to identify select users they were actually interested in that it prevents law enforcement speculatively contacting them looking for evidence.

Renegade Mechanic · 05-02-2019 9:25pm

I don't know what's funnier. The fact that this happened or the fact that people genuinely believed it wouldn't. Just wait till ye go for health insurance...

And pray it doesn't become mandatory like car insurance

[Deleted User] · 05-02-2019 9:25pm

Anyone who voluntarily gives their DNA to these companies, and who uses private health insurance, is a bit of a fool.

pinkypinky · 05-02-2019 11:18pm

Ads by Google - a lot of people in this forum have done so and we don't appreciate being called fools.

My issue is all about how this was managed and whether it breaks the law in Europe. I've always expected this kind of thing would happen and don't personally have an issue with my own DNA being used for this purpose, but others who willingly shared their DNA with me for genealogical purposes might not be happy now.

[Deleted User] · 05-02-2019 11:28pm

People need to know that their genetic nformation can be hacked, sold, or be legally made do anything.

This thread is about one of those "steps" in that direction, and one of the first post was about have nothing to hide. My post wasn't aimed at the people who've done it already, it was aimed at people who haven't considered every angle. Health insurance being a major one I will absolutely see a headline about before I die.

pinkypinky · 05-02-2019 11:47pm

Fine - that's a more reasoned argument than just baldly insulting people.

c.p.w.g.w · 05-02-2019 11:49pm

I think health insurers will certainly try and utilize all this DNA data around. Looking at certain genes and risk factors, and calculate insurance premium's.

Ipso · 06-02-2019 12:08am

Ads by Google wrote: »

People need to know that their genetic nformation can be hacked, sold, or be legally made do anything.

This thread is about one of those "steps" in that direction, and one of the first post was about have nothing to hide. My post wasn't aimed at the people who've done it already, it was aimed at people who haven't considered every angle. Health insurance being a major one I will absolutely see a headline about before I die.

Anyone can access your DNA, you leave traces everywhere. What’s to stop nsomeone taking an indirect sample and selling it to the highest bidder?

[Deleted User] · 06-02-2019 12:38am

Ipso wrote: »

Anyone can access your DNA, you leave traces everywhere. What’s to stop nsomeone taking an indirect sample and selling it to the highest bidder?

Nothing.

Much like no one can stop my TV getting stolen. Doesn't mean I should give it away because of that.

upupup · 06-02-2019 1:09pm

Ads by Google wrote: »

Anyone who voluntarily gives their DNA to these companies, and who uses private health insurance, is a bit of a fool.

This is the Paranoia of our Modern world,Big brother is watching and recording Everything and if you don't agree with me then "You are a bit of a fool".

This way of thinking can suggest a simple visit to your doctor(blood test) is Dangerous,as he is in cahoots with Big pharma and the Insurance companies.
The electronic devices we use everyday are far more dangerous to our privacy than sharing Dna........so anybody who uses modern technology must be "a bit of a fool"

I believe all the above is happening in our modern world but I am not going to worry about it or hide under a rock, protecting my dna and turning off my electronic connection to the world because that is a paranoid step backwards in my view.

L1011 · 06-02-2019 1:58pm

Ads by Google wrote: »

Anyone who voluntarily gives their DNA to these companies, and who uses private health insurance, is a bit of a fool.

c.p.w.g.w wrote: »

I think health insurers will certainly try and utilize all this DNA data around. Looking at certain genes and risk factors, and calculate insurance premium's.

You are both aware that health insurers are required to use community rating in Ireland and have no mechanism to charge people any more or less on any basis at all?

You can be crumbling and have DNA that dooms you to die slowly and expensively and you pay the same as the healthiest person going. They can't even charge smokers more!

pedroeibar1 · 06-02-2019 11:38pm

A DNA test can be used to determine predisposition to cancer risk, Parkinsons, etc. Suggesting that people should not test is the same as telling people not to test for prostate or breast cancer in their annual medical check-up.

In addition to the accurate comment by L1011 above on health insurance, several posts above on DNA and health insurance are grossly misinformed and scaremongering. In Ireland, under the provisions of Part 4 of the Disability Act 2005, an insurer cannot request, take into account or process the results of genetic tests. Even in capitalist USA, use of DNA testing by health insurers is expressly forbidden by direct legislation in about one third (and growing) of states. In all states considerable protection is provided by the Federal Genetic Information Nondiscrimination Act (GINA) which prevents genetic discrimination in the health insurance sector. This law obviously has an impact on the profits of health insurers ; for quite some time rating agencies such as Moodys have factored the losses/negative aspect of this into the rating of companies in the life/health insurance sector. In the EU the situation regarding private DNA testing (not just for insurance) is more complex, with different laws applying in many jurisdictions, from outright bans to testing only via a doctor (Germany) or requiring court approval for paternity tests (France).

Law enforcement agencies have always been obliged to use a subpoena/court order to gain data info., even before GDPR. Furthermore for DNA evidence to be admissible in court, most jurisdictions require that it be initiated by court order and undertaken by a court approved lab. Nothing, of course, can prevent an enforcement officer from doing a solo run to gain info. - we've seen how some of the Gardai here operate.

As I mentioned in an earlier post the real issue in Ireland is not from law agencies but from discovering a sibling/relative. There is an interesting US sibling story HERE

pinkypinky · 07-02-2019 3:40pm

Podcast discussing it here now.

[Deleted User] · 07-02-2019 7:21pm

pedroeibar1 wrote: »

A DNA test can be used to determine predisposition to cancer risk, Parkinsons, etc. Suggesting that people should not test is the same as telling people not to test for prostate or breast cancer in their annual medical check-up.

In addition to the accurate comment by L1011 above on health insurance, several posts above on DNA and health insurance are grossly misinformed and scaremongering. In Ireland, under the provisions of Part 4 of the Disability Act 2005, an insurer cannot request, take into account or process the results of genetic tests. Even in capitalist USA, use of DNA testing by health insurers is expressly forbidden by direct legislation in about one third (and growing) of states. In all states considerable protection is provided by the Federal Genetic Information Nondiscrimination Act (GINA) which prevents genetic discrimination in the health insurance sector. This law obviously has an impact on the profits of health insurers ; for quite some time rating agencies such as Moodys have factored the losses/negative aspect of this into the rating of companies in the life/health insurance sector. In the EU the situation regarding private DNA testing (not just for insurance) is more complex, with different laws applying in many jurisdictions, from outright bans to testing only via a doctor (Germany) or requiring court approval for paternity tests (France).

Law enforcement agencies have always been obliged to use a subpoena/court order to gain data info., even before GDPR. Furthermore for DNA evidence to be admissible in court, most jurisdictions require that it be initiated by court order and undertaken by a court approved lab. Nothing, of course, can prevent an enforcement officer from doing a solo run to gain info. - we've seen how some of the Gardai here operate.

As I mentioned in an earlier post the real issue in Ireland is not from law agencies but from discovering a sibling/relative. There is an interesting US sibling story HERE

Good info and puts my mind at rest. It's not paranoia to mention that things can change in the next decades but I trust that IE and EU can protect us legally.

So my initial point about people being a bit foolish, well I'm undecided. I still won't get it done, unless I can do it anonymously (which maybe I can).

upupup · 08-02-2019 12:20am

Ads by Google wrote: »

unless I can do it anonymously (which maybe I can).

yes you can.

Can open, DNA worms everywhere

Comments